From 6dd98bd8569eb1ffc1d159fa96d4f8c23c229f91 Mon Sep 17 00:00:00 2001
From: Ember
Date: Sat, 4 Apr 2026 16:49:26 -0700
Subject: [PATCH 1/2] Fix stack buffer overflow in writeRadioPosition and writeTalkerAlias

Both functions copy packet data into 50-byte stack buffers without validating the length parameter. Add bounds checks to reject packets that would overflow the buffer or cause unsigned underflow.
---
 DMRNetwork.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/DMRNetwork.cpp b/DMRNetwork.cpp
index 8e96acd..cf110c6 100644
--- a/DMRNetwork.cpp
+++ b/DMRNetwork.cpp
@@ -252,6 +252,9 @@ bool CDMRNetwork::writeRadioPosition(const unsigned char* data, unsigned int len
 if (!m_location)
 return false;
 
+ if (length < 4U || length > 50U)
+ return false;
+
 unsigned char buffer[50U];
 
 ::memcpy(buffer + 0U, "DMRG", 4U);
@@ -268,6 +271,9 @@ bool CDMRNetwork::writeTalkerAlias(const unsigned char* data, unsigned int lengt
 if (m_status != STATUS::RUNNING)
 return false;
 
+ if (length < 4U || length > 50U)
+ return false;
+
 unsigned char buffer[50U];
 
 ::memcpy(buffer + 0U, "DMRA", 4U);

From 891a2a87b7f61945f9ffe8a373e98b27d132e1da Mon Sep 17 00:00:00 2001
From: Ember
Date: Sat, 4 Apr 2026 17:02:53 -0700
Subject: [PATCH 2/2] =?UTF-8?q?Fix=20upper=20bound=20in=20length=20check:?=
 =?UTF-8?q?=2050=20=E2=86=92=2046=20to=20match=20buffer=20geometry?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The memcpy writes (length - 4) bytes at offset 8 into a 50-byte buffer, so the maximum safe length is 46 (8 + 42 = 50), not 50. With length=50 the previous check still allowed a 4-byte stack overflow.
---
 DMRNetwork.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/DMRNetwork.cpp b/DMRNetwork.cpp
index cf110c6..290f613 100644
--- a/DMRNetwork.cpp
+++ b/DMRNetwork.cpp
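Review bot: The new rejection path in both hunks (writeRadioPosition and writeTalkerAlias) returns false silently, so a frame whose length would have overrun the stack buffer is indistinguishable from the ordinary `!m_location` and `m_status` early-outs just above it. Because this check is what now stands between network input and a fixed 50-byte stack buffer, a rejected frame is worth recording: if the file has a logging helper in scope, emit one warning carrying the offending `length` before the `return false;` so that malformed or oversized traffic is visible in the log instead of being dropped without trace. Both function bodies begin before the hunk and the memcpy that consumes `length` lies after it, so the relationship between the chosen bound and the buffer layout cannot be confirmed from the visible lines; the upper bound itself is revised in the follow-up patch.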
@@ -252,7 +252,7 @@ bool CDMRNetwork::writeRadioPosition(const unsigned char* data, unsigned int len
 if (!m_location)
 return false;
 
- if (length < 4U || length > 50U)
+ if (length < 4U || length > 46U)
 return false;
 
 unsigned char buffer[50U];
@@ -271,7 +271,7 @@ bool CDMRNetwork::writeTalkerAlias(const unsigned char* data, unsigned int lengt
 if (m_status != STATUS::RUNNING)
 return false;
 
- if (length < 4U || length > 50U)
+ if (length < 4U || length > 46U)
 return false;
 
 unsigned char buffer[50U];
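Review bot: The corrected bound `46U` and the `buffer[50U]` declaration two lines below it remain two unrelated literals in each of writeRadioPosition and writeTalkerAlias (both hunks), so the geometry the commit message spells out — a 4-byte tag, payload written from offset 8, 50 bytes total — lives only in the reviewer's head, and the drift this patch corrects can recur the next time either number is touched. A single named constant declared ahead of the check ties them together without changing behaviour: `constexpr unsigned int BUFFER_LEN = 50U;`, then `if (length < 4U || length > BUFFER_LEN - 4U)` and `unsigned char buffer[BUFFER_LEN];`, which preserves the 46 bound, plus a one-line comment such as `// 4-byte tag at offset 0, length - 4 payload bytes from offset 8` explaining where the 4 comes from. The memcpy that consumes `length` and the rest of each function body are outside the hunk, so the offset-8 layout is taken from the commit message rather than from visible code and should be confirmed against it.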